If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.

The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry today.

Why is Data Destroyed?

Data Destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying untimely data also helps limit the extent of a breach should unauthorized access occur.

The Fair Information Practice Principles include regulations regarding the limits and uses of collected data. Once data is collected, the data controller is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially that has been hosted with a cloud computing service, may also be deleted at request of the data subject or data controller.

How Do Data Breaches from Improper Destruction Occur?

Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to carelessness. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information that may contain. This leaves personal information vulnerable to dumpster divers that sort through trash looking for information that may allow them to commit fraud.

Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence. What it does is remove the link from the file directory while a copy of the file still remains until it is written over by other files. Some operating systems support software which allows undeletion so that files have been previously deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their hard drives have not been overwritten, encrypted or physically destroyed.

Cloud computing has improved the interactivity and productivity of businesses and individuals but it has also increased the potential for the unauthorized access of information. When a company or individual stores personal information with a cloud computing service be it a Payroll Account Servicer or Facebook, they are trusting that servicer to protect and eventually delete their information when requested. However, it may be days, weeks or even months before that information is deleted. Furthermore, placing information in the cloud allows more individuals, that are not under the control or supervision of the data subject or the data controller to have access to personal information, laying the ground for misuse of information.

Data breaches are a serious occurrence  and take place on a regular basis due to carelessness and general ignorance of the danger that improperly disposed data may pose.

How Should Data Be Disposed?

While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of in both paper and electronic forms.

Physical Destruction:

1. Shredding- the most commonly used form of destruction in homes and small business in which paper is cut into small pieces to make the information harder to reassemble. Cross-cut shredders are more effective than length wise only shredders which may be reassembled into usable data with a minimal amount of work.
2. Incineration- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective there is a large debate concerning its impact on the environment.
3. Pulverization- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and products used in computers and paper degrade in landfills.

Electronic Destruction:

1. Overwriting- Involves writing over data files with files containing junk information. The more times a file is overwritten the more securely it is protected from possible recovery. Overwriting is not 100% effective, however it is a common tool that is available on all computers to protect data.
2. Encryption- Involves the use of private and public cipher keys to code data using algorithms. Only users with the correct key can decode the data to readable form. The HITECH act is considering using encryption as the exclusive method of data destruction.
3. Degaussing- Involves realigning the magnetic fields of devices which use magnetization to store data such as hard drives, magnetic tapes and audio cassettes.

What are the U.S. Federal Regulations Regarding Data Disposal?

There are number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.

The Fair and Accurate Credit Transactions Act

In 2003, the the Fair and Accurate Credit Transaction Act was passed as an amendment to the Fair Credit Reporting Act, both which deal with the protection of personal information in consumer reports. FACTA includes a disposal rule for the protection of information contained in consumer reports by any entity which may use such information for business functions. Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The law requires such entities take take reasonable measures to destroy consumer reports including the physical and electronic destruction of data to make it unreadable. It also calls for independent audits to determine an entity’s compliance with the disposal rule.

The Gramm-Leach-Bliley Act

In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a Safeguards Rule which requires financial institutions to designate a coordinator of their information safety program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.

The law sets up for the proper protection of data against security risk, but like many information privacy laws in the U.S., is criticized for being largely unenforceable due to the variations in technology, methodology, and use of information from business to business. The GLBA does set up heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.

The Health Insurance Portability and Accountability Act

HIPAA is a broad law dealing with issues within the health industry. It contains a Privacy rule and Security Rule for the protection of personal health information. While HIPAA does not specifically have rules regarding the destruction of data, it does require covered entities to take reasonable measures to ensure the protection of data and compliance with HIPAA standards. Historically, improper disclosure has been one of the number one methods of unauthorized access to protected health information.

The Federal Information Security Management Act

In 2003, FISMA (pdf) was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure, or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats.

Data destruction has been recognized as an important security risk in U.S. regulations, however many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains  a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation and so data destruction through the United States and its industries remains largely self-regulated.

What About Data Destruction Services?

As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring it’s customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulatory. There is no government authority that certifies data destruction services in the United States and so the certificates they issue are only as good as the reputation and accountability of a company.

In Conclusion

Data Destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy and not data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction and complete extensive research when choosing other services such as cloud computing and/or data destruction services which may be given control over the process.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  “Information lifecycle principles” (Foundations: I.E.vi)
• Information Security: “Cryptography” (Foundations: II.C.a.iii), “Implementing information security controls – Asset management” (Foundations: II.C.b.iii) and “Physical and environmental security” (Foundations: II.C.b.v)

Staggering Statistics

Types of Incidents resulting in Breach - all time from DataLossDB.org

Types of Incidents resulting in Breach - YTD 2009 from DataLossDB.org

All of this regulation and legislation covers day-to-day activities surrounding quarterly and annual reporting, personally identifiable information storage and protection, information security policies and appropriate retirement and disposal of files and data.  Much of the legislation was in response to rising problems with identity theft, corporate scandal or high profile private records breach.  The exposure numbers are staggering.  According to statistics collected by the Open Security Foundation, there was a 117 fold rise in data security breaches since 2000 and 400% escalation in breaches since 2005.  In 2005, the Federal Trade Commission estimated 3.7% of the US adult population were victims of a records breach.  By 2008, breach notifications affected 84 Million records, approximately 5.6% of the population.  17% of those breaches were based on paper losses, such as check stubs, account statements or other printed documents.  However, the other 83% of the breaches reported involved electronic records, accounting for over 98% of the total records lost.  The two graphs denote the source of the losses, with a consistent 36% breach rate because of theft or loss, but an interesting 9 point upswing this year (8% vs 17%) because of lost equipment or improper document disposal.  Some of the categories (like lost tapes) have been nearly eliminated in recent years by industry best practices and paradigm shifts.

Dumpster Diving for PII

So how is it that Mr. Steve Hunt happened across a treasure trove of private financial information lying in a dumpster behind what he describes as a “big bank in a big city”.  The bank hired Hunt’s company, Hunt Business Intelligence, and was surprised at the results, finding check stubs, bank statements, wire transfer information and even a computer from the “Chicago Board of Trade”.  There are obviously policies regarding file disposal, especially at any large banks to comply with the legislative requirements.  Checks, bank statements, files and other paper should be shredded.  Computer equipment should see more than simply file deletions – they at least require the digital equivalent of shredding and some regulations expect physical destruction of hard drives.  So how does a privacy professional work around this sort of data exposure problem when policy is absolutely ignored?

“There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said.  Mr. Hunt is referring to not only the lost bits in use on the device, which privacy and security professionals obsess over with technologies such as DLP (Data Loss/Leakage Prevention), but also losses where the data reside, be it paper bank statements, backup tapes, or used hardware disposal methods.  We see time and time again how smaller devices facilitate loss or theft, thereby impacting privacy, with examples ranging from memory stick losses at a prison,  a USB drive compromising major intelligence operations or stolen laptops and smartphones.  But most of the items Hunt calls out are not the ultra-portable electronics; they’re examples where companies apparently forget policy in the name of cleanliness - rejected Xerox copies, unclaimed faxes and a third party computer (which no one probably knew what to do with and someone finally grew tired of looking at).

Although Hunt called out pretty significant personal details uncovered on the papers retrieved, statistics, logistics and plain old physics consistently point to electronic records as the bigger picture.  You simply can’t compromise as much paper information without a tractor-trailer and physically being in a location.  It might only take Hunt 3 minutes to find items in the trash, but the planning and execution (and lingering odor) may encompasses hours.  The risk is also significantly more tangible to the perpetrator than a remote, network-based attack – instead of an air conditioned room and a laptop, a dumpster diver faces police and private surveillance, neighborhood watches, and the physical stigma of traipsing through the trash.  This likely deters all but the most determined adversary.  So don’t forget proper paper disposal: it’s well understood and it will place your company in the news 17% of the time, but realize that it amounts to 2% of the total disclosure problem.

An Inventory of Assets

Corporations should already have an inventory of assets in this age of eDiscovery.  A chart of who owns what equipment and what’s stored on it will allow you to meet court demands, quickly figure out what you should have at any moment of time and where to look when data are needed later.  At a minimum this includes such IT items as servers, desktops, laptops and smart phones, regardless of their owner, as well as any hardware off site.  This should help avoid mysterious losses of equipment like a laptop in the trash.

Information Lifecycle Mapping

Better still: enterprise information lifecycle mapping will go much further in defining what information may be at risk due to loss, theft or policy failure.  In dealing with privacy data, lifecycle mapping shows what data are being created during collection, for what use and purposes, in what formats the data are retained, and most importantly, delineate who has disclosure access to each piece of information.  This is especially useful in multi-sector corporations and third party / marketing vendor relationships, where management and administration of data flows must be reconciled across large population swaths.  Lifecycle controls also allow monitoring of customer opt-in and opt-out decisions and appropriate enforcement of policies.

Mitigating Data Recovery Risks

The recovered laptop’s battery was drained, but Hunt says, ”I know how to connect to a hard drive.” Would the laptop have been susceptible to recovery as Hunt suggested? Up until ten months ago in Indiana, the laptop wouldn’t require a breach notification, as long as the system had a password installed on the machine.  Anyone in the security industry will tell you how easy it is to circumvent or recover a user name and password, especially if that’s the best protection on the system.  My information security professor back in college regularly emphasized, “Once you get your hands on the hardware, all bets are off”.  So what may be done to manage this risk?

Cryptography eliminates disclosure risks?

Most states, including Indiana since their requirements change, expect encryption will provide adequate protection from information loss, and therefore do not require breach notifications for cryptographically secured equipment loss.  Cryptography is impressive, effectively eliminating data-at-rest risk in most instances where the equipment is turned off.  (There are plenty of cryptography protection examples for data-in-transit or data-in-use we’ll leave for another time.)    Encryption is not the disclosure panacea.  There are sometimes flaws in software code and, even when properly executed, eventually the mathematics behind encryption systems age.  Then there are security revelations, such as the Cold Boot presentation last year.  Security researchers at Princeton successfully circumvented military grade encryption, not by cracking the mathematics, but by taking notice of a peculiarity in how encrypted computer systems operate, and more importantly how users operated the computer systems.

Hard Disk Data Remanence

Everyone should be familiar with a computer’s “Recycle Bin”, the place where “deleted” files stay until the second stage deletion (empty recycle bin on Windows) removes the file.  Even that second stage doesn’t really delete the file.  The OS removes the file’s header information, and frees the occupied locations for writing.  Liken it to simply tearing off the top page of a fax and flipping the pages over to write on.  The short version: if you’re serious about deleting private information on decommissioned equipment, keep the encryption and ‘erase’ the disks following the old DoD policies, where drives are overwritten multiple times with a specific pattern.   That’s better than best practices and will easily avoid any sorts of negligence findings anywhere in the near future.  However, another security researcher named Peter Gutmann took notice of how the DoD drive erasure security process was actually implemented and determined that data were recoverable unless erasure was manufacturer and model specific – with rewrites of up to 35 times.  The DoD found the lengthy process of overwriting disks according to Gutmann’s studies too costly, and now most often uses NSA approved Degaussers to literally rip the bits off the drive.  A third alternative entails physically shredding the hard disks like paper records.

Third Party Equipment

The Chicago Board of Trade did well by labeling their equipment so it may be identified.  It appears they probably missed the mark by leaving off an easy to use contact method or shipping address.  Contracts for third party vendors must take into consideration loaned equipment installed on customer premises.  Mistakes made by third party vendors bring shame to their organization, but more than likely breach notifications will go out on your corporate stationary.  Regular compliance audits (including dumpster dives if you wish) and data lifecycle management are crucially important as the primary vendor.  All of these activities will help manage corporate risk.

Disposal Policy Conclusions

With each improvement in security technology, someone eventually notices a problem with how it’s implemented or nuances of actual usage, as evidenced specifically in the examples from both the Princeton folks and Gutmann.  Avoid complete technology reliance and prepare for the latest system’s failure.  Follow best practices relating to security & disposal, document the modifications into processes and write policies to manage the gaps.  Always be prepared to account for numb skulls in your organization – audit your processes and staff and you may be surprised at what you find.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B),
• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management (Data Recovery and Disposal Policy )and Compliance and Incident Management
• Policy (Foundations: I.C) including: Internal use and disclosure, Third Party Relationships
• Data Lifecycle (Foundations:I.E.vi) including: Collection, Use & Retention, Disclosure, Management & Administration and Monitoring & Enforcement
• Information Security (II.C) including: Encryption(data-at-rest and disk encryption), Asset Management (asset inventory & information classification), Threats & Vulnerabilities, (Data remanence and Dumpster diving)